Wednesday, May 21, 2014

VLANs offer awesome network segmentation and help prevent an attacker from pivoting mercilessly throughout the network. I would hazard to say that all Fortune 500 companies employ VLANs as a rudimentary security measure. But what about smaller companies? In my experience though, most small businesses (less than 100 computers) are very unlikely to have VLANs employed. This makes sense since network segmentations with so few machines makes less sense (the overhead is too high).

For businesses with a larger number of machines (let's say 500-5,000), VLANs clearly make sense. The security benefits of VLANs are undeniable and for this number of machines the overhead to gain the security is not as onerous. But how many companies in this range use VLANs?

I certainly have my own experiences in consulting. I'd share those experiences, but my clients (all of whom I've signed NDA's with) might (will) have issues with that. To get some data I can release, I reached out to some friends who also run infosec consulting companies. For obvious reasons, these businesses will remain nameless. I don't like posting data where I can't name the source, but I was unable to find this data anywhere on line. I even tried reaching out to my social network to get it, but no primary research source could be found. So my goal here is to actually establish a source of some kind.

I surveyed three consulting firms targeting different verticals (healthcare, finance, and manufacturing). Each firm reported dealing with 20-50 different customers over the last 12 months. I didn't get specific metrics for each vertical, only in aggregate. These three firms reported 21%, 22%, and 17% VLAN use in their customer bases over the last twelve months. This means that for businesses of this size, we should expect about one in five to employ VLANs.

Is this scientific data? Nope, far from it. It is on the other hand pretty representative of what I've seen over the years in consulting. Again, my goal here is to get some reference out there that details the adoption rates of VLANs in medium sized businesses. If your experience is the same, please drop a comment affirming this data. If your experience differs, please let me know that too (blog comments are best so others can see the public dissent). But best of all, if you know of an actual authoritative source for this, please, please, please post a link in the comments.